May 17, 2025

4 open source password managers

  • June 14, 2024

Password managers have become a highly recommended type of tool for users who manage a large number of passwords, especially given how most of us use the internet.

Using a manager is recommended mainly because users cannot remember a large number of passwords. This carries the risk of repeating them across different services, and the situation is made worse if the same username is used, which usually corresponds to an email account. If you rely on your own memory to store passwords, then in addition to repeating them you are likely to end up choosing not-so-strong phrases that may be guessed with a brute-force attack, i.e. trying out possible passwords one by one until the right one is found.

In addition to avoiding repetition and being able to generate strong passwords and store a large number of them, there are other features worth weighing when choosing a manager:

  • Online and offline access: There are offline managers that store passwords locally or on a USB drive, and others that work online and handle syncing through the cloud, using encryption to protect the content. Online managers are more convenient, especially if you want the same passwords on several computers, but many people do not trust them and continue to use offline managers, which leave the user responsible for moving passwords from one place to another. In fact, the risks of online managers are so real that we have the case of LastPass.
  • Two-step verification: Two-factor authentication has become a mechanism that many services already require in order to guarantee that the person logging in is legitimate and not a malicious actor. If a password manager supports two-step verification, that is a plus to consider.
  • Integration with web browsers: This is another important factor, as it minimizes interaction with passwords and automates access to various websites. It should be achieved by simply installing the corresponding plugin.
  • Automatic password capture: Continuing with the browser add-on, it is recommended that the password manager ask the user whether to save the data when they log in to a service with their account and password. Some managers are able to detect password update processes.
  • Automatic security alerts: Some password managers warn when a service or website has been hacked and user access data has been or may have been compromised. If such a warning is issued, it is advisable to update the corresponding password as soon as possible.
  • Portable app and/or mobile support: Ideally, the password manager should be a portable application, in other words one that can be carried on a pen drive and does not require installation. Another desirable option is a version for mobile phones and tablets, so that passwords can be managed from anywhere if it is a cloud-based service.
  • Security audits: These are used to detect whether the user has weak or repeated passwords in their vault. Obviously, if any are detected, it is advisable to change the corresponding passwords as soon as possible.
  • One-time passwords: One-time passwords, as the name implies, let a user access the password manager only once with a given password, which strengthens the system if it is compromised, because the same password is of no use on another occasion.
  • Share passwords: Some managers allow you to securely share passwords with friends, either within or outside of the password manager itself, although this feature doesn’t seem very attractive given the times we live in.
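
The security-audit feature from the list above, sketched as an added example (not code from any of the managers discussed): it reports reused and weak entries in a constructed sample vault. The vault contents, the function names and the 60-bit threshold are assumptions made for illustration.

```python
import hashlib
import math
import string
from collections import defaultdict

# Constructed sample vault: (service, username, password). Not real credentials.
SAMPLE_VAULT = [
    ("mail.example", "ana@example.com", "Summer2024"),
    ("shop.example", "ana@example.com", "Summer2024"),
    ("bank.example", "ana@example.com", "v9#Lq2!xT7pZr$8mWc4K"),
    ("forum.example", "ana", "letmein"),
]

# Character classes used to size the search space of a brute-force attack.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def estimate_bits(password):
    """Upper bound on entropy: length * log2(size of the character classes used).
    Predictable patterns (word + year) are weaker than this bound suggests."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(vault, min_bits=60):
    """Return (reused, weak).
    reused: list of (services sharing one password, True if username is shared too)
    weak:   services whose password falls below min_bits (assumed threshold)"""
    groups = defaultdict(list)
    weak = []
    for service, user, password in vault:
        # Group by digest so the audit report never carries plaintext passwords.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append((service, user))
        if estimate_bits(password) < min_bits:
            weak.append(service)
    reused = []
    for entries in groups.values():
        if len(entries) > 1:
            services = sorted(s for s, _ in entries)
            same_user = len({u for _, u in entries}) == 1
            reused.append((services, same_user))
    return sorted(reused), sorted(weak)

if __name__ == "__main__":
    reused, weak = audit(SAMPLE_VAULT)
    print("reused:", reused)
    print("weak:", weak)
```

A reused password combined with a shared username is the worst case the article describes: one leaked pair opens every service in that group.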

Why open source password managers are important

We live in a time when privacy is becoming an increasingly important issue. It is not only malicious actors who attack servers or PCs to obtain compromising data that come into play here, but also the lack of transparency in most of the software we use in our daily lives.

Recently, we’ve seen Microsoft receive heavy criticism for its use of artificial intelligence in Windows, and features like Recall have finally awakened the sensibilities of many. This is just the latest episode in the Redmond giant’s long history of raising doubts about the real privacy that Windows provides, since from Windows 10 onwards the system has implemented telemetry that is reputed to be quite intrusive.

Another piece of software traditionally heavily criticized for privacy-related issues is Google Chrome, the search giant’s browser, which has been accused of being spyware. Here, the Mountain View giant’s business model, which has targeted advertising as one of its mainstays, does not help to improve the image that many have of the app, which is currently by far the most popular in its segment.

What do Windows and Google Chrome have in common? Both are proprietary software, so auditing what they actually do is not as easy as it would be if they were open source. No one doubts that Microsoft and Google conduct security audits of their software, but they are conducted through contracts that contain draconian confidentiality requirements. In other words, Windows and Google Chrome cannot be freely audited, which is something that can be done with open source software.

At this point, open source password managers are important because their source code is auditable and it is therefore possible to know what they are doing. However, there are still gaps, such as the fact that the client can be open source while the server is proprietary, so in the case of online managers operating under this structure it is impossible to know what is happening with the data in the cloud, even though it should be encrypted and accessible only to its rightful owner.

Still, the fact that only the client is open source is a step forward, because at least you can see whether the data being sent is exactly what it should be, or whether there is some type of collection that covers things it shouldn’t. This also applies to password managers that only work offline, as proprietary software can always hide nasty things.

As a final point before listing the managers, it does not hurt to recall that open source does not mean invincibility against security bugs, because that depends more on code quality and on constant and proper maintenance. Despite everything, the fact that code can be freely audited will always be a greater guarantee of privacy than proprietary software.

Four popular open source password managers

Bitwarden

Bitwarden is probably the most popular online open source password manager. It officially supports the most popular web browsers, iOS, iPadOS, watchOS and Android, and has apps for Windows, Linux and macOS. Because the client’s source code is published under the GPLv3 license, it offers maximum transparency and, in theory, makes it easy to bring it to other systems, either through a port or through a derivative project based on the original code.

The Bitwarden server is also open source, as it is published under the AGPLv3 license, although some proprietary modules are used on this front. This, together with the APIs that those in charge make available, makes it possible to decentralize the password manager and deploy it, for example, at the company level.

At the level of user-oriented features, we find an encrypted vault, access via two-factor authentication, passwordless access, a random password generator and biometric unlocking. It has paid plans with some additional features to contribute to the sustainability of the project.

KeePass

We now move on to a veteran project, officially born in 2003, which is probably the most popular in its segment among offline solutions. KeePass stores passwords in an encrypted database that can be accessed using a password or digital key. Initially it was only available for Windows, but there is a derivative called KeePassXC that offers true cross-platform support. Because it is free software, it has a large number of unofficial forks and derivatives for many different operating systems, including mobile.

Its features include two-factor authentication, protection against keyloggers (software dedicated to recording keystrokes), multi-user support, clipboard reset, a password generator and plugin support. Browser plugins must be installed separately.

Proton Pass

This is a younger project that comes from the same people behind the encrypted email service Proton Mail. At first it was only available for Android and iOS, but over time it also made its way to Windows, Linux and macOS. One advantage is that the company behind it is based in Switzerland and not the United States, in case anyone doesn’t trust how the North American country works.

Password managers are nothing new in themselves, and in Proton Pass we find an encrypted vault and synchronization between devices, a password generator, two-factor authentication, Passkey support, import and export, web browser integration via extensions and security alerts.

An interesting feature of Proton Pass is the integration with Proton Sentinel, a new security service powered by artificial intelligence, but only subscribers to the Pass Plus paid plan (€4.99 per month or €23.88 per year) can benefit from it and access advanced features such as offline use.

Padloc

The Padloc website says it “not only helps remember all your passwords, but also securely stores credit cards, notes, documents and more” using end-to-end encryption. It does nothing that cannot be done with Bitwarden, for example, but it doesn’t hurt to consider more open source alternatives in a segment where transparency should be important.

Padloc officially supports Linux, Windows, macOS, iOS and Android, and provides extensions for Google Chrome and Firefox, so with the exception of Microsoft Edge it supports virtually all popular consumer software, and the Chrome extension should be installable in Edge. Its source code is published under the AGPLv3 license, so it can be considered hardline free software.

Finally, although Padloc is free to use, it offers several paid plans with additional features such as multi-factor authentication and 1GB of encrypted file storage.

Conclusion

These four examples are among the most popular open source password managers and are also easy to use, or at least relatively easy to use. Obviously, there are many other options with different approaches, but finding the ideal one comes down to the typical process of trying them until we find the one the user likes the most or that fits best.

As I said before, open source itself is not a panacea in terms of security, but it is an added value that at least allows us to verify that the manager is not doing anything strange, something that cannot be determined with 100% certainty in proprietary software.

Source: Muy Computer
